CVE-2024-24496
Published: 2024-02-08
Priority: P2 · 73 · critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 19.50% (97.0th percentile)
An issue in Daily Habit Tracker v.1.0 allows a remote attacker to manipulate trackers via the home.php, add-tracker.php, delete-tracker.php, update-tracker.php components.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| remyandrade | daily_habit_tracker | — | — |
Detection & IOCs (extracted from sources)

Request recorded in the sources:

```http
POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1

date=1443-01-02&day=Monday&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes
```
- Detect unauthenticated POST requests to the add-tracker.php and update-tracker.php endpoints: no session or auth cookie present in the request headers.
- Alert on GET requests to delete-tracker.php with a numeric 'tracker' parameter from unauthenticated sessions, indicating unauthorized deletion attempts.
- Monitor for direct navigation to home.php without a preceding authenticated session, as the application performs no authentication check on this page.
- Flag POST requests to /habit-tracker/endpoint/ paths where the Referer header is set to home.php but no valid session token is present; this is consistent with the PoC exploit pattern.
- The exploit targets Daily Habit Tracker version 1.0 specifically; the vulnerable endpoints are under the /habit-tracker/endpoint/ path, which may differ if the application is installed in a non-default directory.
- All four components (home.php, add-tracker.php, delete-tracker.php, update-tracker.php) lack authentication checks independently, so patching only some of the endpoints leaves the application exploitable.
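The four detection heuristics above, implemented as an added example over constructed sample log records; this is not code from the page or from the Daily Habit Tracker project. It assumes the default /habit-tracker/ install prefix, a JSON-lines access log that carries the request's Cookie and Referer headers, and PHP's stock PHPSESSID session cookie name; all of those are assumptions, and the sample records are constructed.

```python
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Paths taken from the advisory; the /habit-tracker/ prefix is the default
# install directory (assumption) and may differ on a given deployment.
ENDPOINT_DIR = "/habit-tracker/endpoint/"
POST_ENDPOINTS = {"add-tracker.php", "update-tracker.php"}
SESSION_COOKIE = "PHPSESSID"  # assumption: stock PHP session cookie name


def has_session(cookie_header: str) -> bool:
    """True when a non-empty session cookie is present in the Cookie header."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value:
            return True
    return False


def classify(rec: dict) -> Optional[str]:
    """Apply the four rules to one log record; return a finding label or None."""
    if has_session(rec.get("cookie", "")):
        return None  # authenticated traffic is out of scope for these rules
    method = rec["method"].upper()
    url = urlsplit(rec["url"])
    path = url.path
    name = path.rsplit("/", 1)[-1]
    query = parse_qs(url.query)
    in_endpoint_dir = path.startswith(ENDPOINT_DIR)

    # Rule 1: unauthenticated POST to the two write endpoints.
    if method == "POST" and in_endpoint_dir and name in POST_ENDPOINTS:
        return f"unauthenticated POST to {name}"
    # Rule 2: unauthenticated GET delete-tracker.php with a numeric tracker id.
    if method == "GET" and name == "delete-tracker.php" and any(
        v.isdigit() for v in query.get("tracker", [])
    ):
        return "unauthenticated GET delete-tracker.php with numeric tracker id"
    # Rule 3: home.php reached with no session at all.
    if method == "GET" and name == "home.php":
        return "home.php requested without a session"
    # Rule 4: any endpoint POST claiming to come from home.php but lacking a session.
    if method == "POST" and in_endpoint_dir and rec.get("referer", "").endswith("home.php"):
        return "endpoint POST with home.php Referer and no session"
    return None


# Constructed sample records (JSON lines); not real traffic.
SAMPLE_LOG = """
{"src": "10.0.0.5", "method": "POST", "url": "/habit-tracker/endpoint/add-tracker.php", "cookie": "PHPSESSID=abc123", "referer": "http://app/habit-tracker/home.php"}
{"src": "203.0.113.9", "method": "POST", "url": "/habit-tracker/endpoint/add-tracker.php", "cookie": "", "referer": ""}
{"src": "203.0.113.9", "method": "GET", "url": "/habit-tracker/endpoint/delete-tracker.php?tracker=7", "cookie": "", "referer": ""}
{"src": "203.0.113.9", "method": "GET", "url": "/habit-tracker/home.php", "cookie": "", "referer": ""}
{"src": "203.0.113.9", "method": "POST", "url": "/habit-tracker/endpoint/delete-tracker.php", "cookie": "", "referer": "http://app/habit-tracker/home.php"}
{"src": "10.0.0.5", "method": "GET", "url": "/habit-tracker/home.php", "cookie": "PHPSESSID=abc123", "referer": ""}
"""


def scan(log_text: str) -> list:
    """Run the rules over JSON-lines log text; returns (src, method, url, finding) tuples."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        finding = classify(rec)
        if finding:
            findings.append((rec["src"], rec["method"], rec["url"], finding))
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep="  ")
```

Rule order matters: a session-less POST to add-tracker.php or update-tracker.php is reported under the first rule even when it also carries a home.php Referer, so the Referer rule only surfaces POSTs to other files under the endpoint directory. If the application is installed under a different prefix, change ENDPOINT_DIR accordingly.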
No detection rules found.
No writeups or analysis indexed.